Reuters, which says it wasn't able to ascertain the man's identity, says that a source described the hacker as "living with his mom in a small home trying to help pay the bills" and said Uber's security team chose not to pursue legal measures against him as it believed he posed no further threat.

The man signed a nondisclosure agreement and submitted his systems for a full digital forensic analysis to verify that all Uber data had been expunged, Reuters reports.

Desperately Seeking Details

More details about the massive Uber data breach that it first disclosed on Nov. 21 continue to come to light.

"None of this should have happened, and I will not make excuses for it," Dara Khosrowshahi, who stepped into the driver's seat at Uber as CEO in September, said in a Nov. 21 statement. "We are changing the way we do business."

Despite senior officials inside Uber knowing about the breach for more than a year, however, and Khosrowshahi launching a thorough investigation more than two months ago after he learned about it, the ride-sharing platform has yet to come clean on multiple fronts.

6 Uber Breach Questions

Here's a short list of outstanding Uber data breach questions:

Why did Uber wait more than a year to alert 57 million riders and drivers that their data may have been compromised?

But the scale of the payment exceeds any bug bounty awarded via the program to date.

"If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops," Luta Security founder Katie Moussouris, a former HackerOne executive, tells Reuters.

If it was a legitimate bug bounty payment, why didn't Uber come clean and comply with laws that require anyone whose personal information may have been exposed to be notified?

Paying a ransom isn't illegal, nor should it be. Evading breach notification laws is illegal because the laws were made to stop companies from covering up when PII is or was in unauthorized hands. Don't conflate ransom risk management (OK) with breach notification cover-up (not OK).

GitHub: TMI Alert

Besides the $100,000 payoff to the Florida-based hacker, Reuters reports that Uber also paid a second individual in connection with sensitive information unearthed via Uber code shared to the GitHub code-sharing service. It's not clear if it was this data, uploaded by Uber to GitHub, that may have enabled the Florida man to access Uber's systems.

A GitHub spokeswoman tells me that "this was not the result of a failure of GitHub's security," although she declined to comment further on individual accounts. Instead, she warned: "Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code. If the developer must include them in the code, we recommend they implement additional operational safeguards to prevent unauthorized access or misuse."
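One of the "operational safeguards" that catches this class of mistake before code reaches a shared repository is a pre-commit secret scanner that inspects only the lines a commit adds. The script below is an added example written for this article; it is not GitHub's, Uber's or the author's code. It assumes a unified diff on standard input or in a file, uses the documented AWS access key ID shape (AKIA plus 16 characters) as one fixed pattern, and adds two generic heuristics of its own: a keyword-plus-quoted-literal rule and a Shannon-entropy rule with an assumed 4.0 bits-per-character threshold and a URL allowlist. The diff embedded at the bottom is constructed, and every value in it is fake.

```python
"""Pre-commit style scanner for secrets in staged changes.

Added example for this article (not GitHub's, Uber's or the author's code):
flags hard-coded credentials on the '+' lines of a unified diff so a hook can
refuse the commit. Rule names and thresholds are this example's assumptions.
"""
import math
import re
import sys
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple


class Finding(NamedTuple):
    line_no: int   # line number within the diff text (not the source file)
    rule: str      # which detector fired
    snippet: str   # the matched text


# Fixed-format rules. The AKIA + 16 chars shape is the documented public
# format of an AWS access key ID; the other two are generic heuristics.
PATTERN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # An identifier containing password/secret/token/... assigned a quoted
    # literal of 8+ characters. Reading the value from os.environ[...] does
    # not match because no quote follows the '='.
    "hardcoded-credential": re.compile(
        r"(?i)(password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key)"
        r"\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
QUOTED_STRING = re.compile(r"['\"]([^'\"\s]{20,})['\"]")
# Long, random-looking strings that are known non-secrets (assumed allowlist).
ENTROPY_ALLOWLIST = re.compile(r"^https?://")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption, tune per repository


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (rule, snippet) for every detector that fires on one line."""
    hits: List[Tuple[str, str]] = []
    for rule, pattern in PATTERN_RULES.items():
        m = pattern.search(line)
        if m:
            hits.append((rule, m.group(0)))
    for m in QUOTED_STRING.finditer(line):
        value = m.group(1)
        if ENTROPY_ALLOWLIST.match(value):
            continue
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            hits.append(("high-entropy-string", value))
    return hits


def scan_diff(diff_text: str) -> List[Finding]:
    """Scan only added lines ('+', but not the '+++' file header)."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(diff_text.splitlines(), start=1):
        if not raw.startswith("+") or raw.startswith("+++"):
            continue
        for rule, snippet in scan_line(raw[1:]):
            findings.append(Finding(line_no, rule, snippet))
    return findings


def rules_by_line(findings: List[Finding]) -> Dict[int, Set[str]]:
    """Group findings as {diff line number: set of rule names}."""
    out: Dict[int, Set[str]] = {}
    for f in findings:
        out.setdefault(f.line_no, set()).add(f.rule)
    return out


# Constructed sample diff. All values are fake; the AKIA string only has the
# shape of an access key ID and is not a real credential.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,4 +1,7 @@
 import os
+DB_PASSWORD = os.environ["DB_PASSWORD"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+api_key = "sk_live_0123456789abcdefghijklmnop"
+BASE_URL = "https://api.example.com/v1/endpoint"
+# token = "short"
-old_password = "hunter2hunter2"
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DIFF
    found = scan_diff(text)
    for f in found:
        print(f"diff line {f.line_no}: {f.rule}: {f.snippet}")
    # A non-zero exit is what makes a git pre-commit hook refuse the commit.
    sys.exit(1 if found else 0)
```

Run against the built-in sample, the scanner reports only the two lines that embed literal credentials: the line reading the password from the environment, the URL and the five-character placeholder are left alone, and the removed `old_password` line is ignored because it is no longer in the tree. The entropy rule is the noisy one; the allowlist is there precisely because long URLs and hashes look random, so expect to extend it per repository.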

Uber didn't immediately respond to a request for comment.

But this wouldn't be the first time Uber insiders apparently overshared to GitHub. In early 2015, Uber warned that it suffered a breach in September 2014 after it inadvertently posted application programming interfaces for its website to GitHub. Uber then requested that a court order a subpoena of GitHub to obtain a complete list of all users who accessed a GitHub "gist" (a snippet repository) that contained an API as well as a script for directly accessing Uber's back-end systems (see Uber Breach Affects 50,000 Drivers).

GitHub declined to comment about whether Uber issued a similar subpoena demand in the wake of this latest incident. "Due to legal and privacy concerns, we cannot comment on any matters relating to subpoenas for user account data," the spokeswoman says. But the company did confirm that the two incidents involving posts to GitHub that inadvertently contained sensitive information were not connected.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as Executive Editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
